A New Exploit Kit in Neutrino

Robust and stealthier toolkits are predicted to emerge this year. This was first seen when the WhiteHole Exploit Kit appeared in the threat landscape. It took advantage of several vulnerabilities including the infamous CVE-2013-0422.

Additionally, there have been reports of another new exploit kit called “Neutrino” being sold in the underground. The exploit, which we detect as JAVA_EXPLOYT.NEU, takes advantage of the following vulnerabilities:

Systems running Java 7 Update 11 and below are vulnerable. When exploited successfully, it downloads a ransomware variant, TROJ_RANSOM.NTW. Ransomware typically locks computers until users pay a certain amount of money as ransom. Our research paper Police Ransomware Update contains more information on this threat.

The vulnerabilities covered in CVE-2013-0431 were also exploited in a BlackHole Exploit kit spam run that supposedly came from PayPal. Oracle addressed this vulnerability with an out-of-band update, a release that itself raised issues and concerns. CVE-2012-1723, on the other hand, was employed by both the BlackHole Exploit kit and the WhiteHole exploit kit.

Neutrino’s features

The perpetrators of the Neutrino toolkit highlight the following features:

User-friendly control panel

Easy management of domain and IP (a countermeasure to AV software)

Continuous monitoring of AV statuses

Traffic filtering

Stealing target system information by means of browser plugin detectors

Encryption of stolen information sent back to the server

Filters what information to send

Appropriate exploit recommendation

Notification of vulnerability support, exploit codes and payloads

According to an underground forum, the people behind Neutrino also rent out their servers together with server maintenance services. Renting the Neutrino kit costs US$40 per day and US$450 for an entire month. According to senior threats researcher Max Goncharov, the perpetrators have been known to buy iframe traffic since 2012 in order to generate profit. They may have built the toolkit on their own and then decided to sell it in the underground.

The methods in Neutrino are quite similar to others; however, the highlighted features in Neutrino mean that attackers are indeed becoming more sophisticated and organized.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: